…plant. [180] The group has also used PowerShell to perform Timestomping. [181] G0027 Threat Group-3390 Threat Group-3390 has used PowerShell for execution. [182] G0076 Thrip Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and c…
…spawned shells on remote systems on a victim network to execute commands. [275] G0027 Threat Group-3390 Threat Group-3390 has used command-line interfaces for execution. [58] [276] S0004 TinyZBot TinyZBot supports execution from the command-line. [277] S0266 TrickBot TrickBot has…
…spawned shells on remote systems on a victim network to execute commands. [363] G0027 Threat Group-3390 Threat Group-3390 has used command-line interfaces for execution. [74] [364] S0668 TinyTurla TinyTurla has been installed using a .bat file. [365] S0004 TinyZBot TinyZBot suppo…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…red Spider has exfiltrated victim data to the MEGA file sharing site. [33] [34] G0027 Threat Group-3390 Threat Group-3390 has exfiltrated stolen data to Dropbox. [8] G1022 ToddyCat ToddyCat has used a DropBox uploader to exfiltrate stolen files. [28] G0010 Turla Turla has used We…
…f a known vulnerability in Microsoft Word (CVE-2012-0158) to execute code. [74] G0027 Threat Group-3390 Threat Group-3390 has exploited the Microsoft SharePoint vulnerability CVE-2019-0604. [75] G0131 Tonto Team Tonto Team has exploited Microsoft vulnerabilities, including CVE-20…
…ised web servers. [12] S0578 SUPERNOVA SUPERNOVA is a Web shell. [68] [69] [70] G0027 Threat Group-3390 Threat Group-3390 has used a variety of Web shells. [71] G0131 Tonto Team Tonto Team has used a first stage web shell after compromising a vulnerable Exchange server. [72] G008…
…ates issued by Mimecast to authenticate to Mimecast customer systems. [18] [19] G0027 Threat Group-3390 Threat Group-3390 has compromised third-party service providers to gain access to victims' environments. [20] Mitigations ID Mitigation Description M1032 Multi-factor Authentic…
…sed websites with malicious content often masquerading as browser updates. [44] G0027 Threat Group-3390 Threat Group-3390 has extensively used strategic web compromises to target victims. [60] [61] G0134 Transparent Tribe Transparent Tribe has used websites with malicious hyperli…
… [70] TeamTNT has also used libprocesshider to modify /etc/ld.so.preload. [71] G0027 Threat Group-3390 Threat Group-3390 has used net use to conduct internal discovery of systems. The group has also used quser.exe to identify existing RDP sessions on a victim. [72] S0094 Trojan.…
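The discovery commands named in the Threat Group-3390 entry above (a bare `net use`, which lists a host's existing SMB connections, and `quser`, which enumerates logged-on RDP sessions) are cheap to hunt in process-creation telemetry. The Python below is an added example written for this page, not tooling from ATT&CK or from the group: it classifies constructed Sysmon-style Event ID 1 records (the hosts, users, paths and timestamps are made up) and raises an alert when a single host issues two or more distinct discovery commands inside a ten-minute window. It also distinguishes `net use \\host\share` (a connection to a remote share, which is a lateral-movement signal rather than pure discovery) from `net use` with no target, and ignores housekeeping such as `net use Z: /delete`.

```python
"""Hunt for TG-3390-style internal discovery (net use, quser) in process-creation logs.
Added example for this page; the events below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-like process-creation events (hypothetical hosts and users).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:02:11Z", "host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net use"},
    {"ts": "2024-05-01T10:02:40Z", "host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\quser.exe", "cmdline": "quser /server:FS01"},
    {"ts": "2024-05-01T10:03:05Z", "host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net use \\FS01\IPC$"},
    {"ts": "2024-05-01T11:15:00Z", "host": "WS02", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net use Z: /delete"},
    {"ts": "2024-05-01T11:16:00Z", "host": "WS02", "user": "CORP\\asmith",
     "image": r"C:\Windows\explorer.exe", "cmdline": r'"C:\Windows\explorer.exe"'},
    {"ts": "2024-05-01T09:00:00Z", "host": "WS03", "user": "CORP\\helpdesk",
     "image": r"C:\Windows\System32\quser.exe", "cmdline": "quser"},
]


def classify(event: dict):
    """Return a rule name for a discovery-related process, or None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    # Windows quoting is loose; stripping quotes and splitting is enough for these commands.
    argv = event["cmdline"].replace('"', "").split()
    args = [a.lower() for a in argv[1:]]
    if image in ("quser.exe", "qwinsta.exe"):
        return "rdp_session_enum"          # lists interactive / RDP sessions, locally or /server:
    if image in ("net.exe", "net1.exe") and args and args[0] == "use":
        if len(args) == 1:
            return "net_use_enum"          # bare 'net use' prints current SMB connections
        if any(a.startswith("\\\\") for a in args[1:]):
            return "net_use_connect"       # UNC target: connecting to a remote share
        return None                        # e.g. 'net use Z: /delete' is housekeeping
    return None


def find_hits(events):
    """Tag every event that matches a discovery rule."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append({"host": ev["host"], "user": ev["user"], "ts": ev["ts"],
                         "rule": rule, "cmdline": ev["cmdline"]})
    return hits


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(hits, window=timedelta(minutes=10), min_rules=2):
    """Alert once per host when >= min_rules distinct discovery rules fire within window.
    A lone 'quser' from a help-desk box is noise; net use + quser + share connect is not."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = []
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        for i, first in enumerate(hs):
            t0 = _parse(first["ts"])
            rules = {h["rule"] for h in hs[i:] if _parse(h["ts"]) - t0 <= window}
            if len(rules) >= min_rules:
                alerts.append({"host": host, "start": first["ts"], "rules": sorted(rules)})
                break
    return alerts


if __name__ == "__main__":
    found = find_hits(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['ts']} {h['host']} {h['user']} {h['rule']:18} {h['cmdline']}")
    for a in correlate(found):
        print("ALERT", a)
```

Tune the window and `min_rules` to the environment; administrators do run `quser` and `net use`, so the value of the correlation is in chaining several distinct discovery commands on one host, and the user field is carried through so that service accounts and help-desk accounts can be handled separately.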
…Veles TEMP.Veles has obtained and used tools such as Mimikatz and PsExec. [59] G0027 Threat Group-3390 Threat Group-3390 has obtained and used tools such as Impacket, pwdump, Mimikatz, gsecdump, NBTscan, and Windows Credential Editor. [60] [61] G0076 Thrip Thrip has obtain…
… XOR algorithm to execute a customized Cobalt Strike payload. [174] [175] [140] G0027 Threat Group-3390 During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compre…
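The LZNT1 layer in the Threat Group-3390 entry above can be stripped offline before an analyst deals with the shikata_ga_nai stub underneath. The decompressor below is an added example written for this page, not code from the group's malware, from Metasploit, or from Windows: it implements the LZNT1 format as documented in MS-XCA (a 16-bit little-endian chunk header carrying the chunk size in bits 0-11, a 3-bit signature of 3 in bits 12-14 and a "compressed" flag in bit 15; inside a compressed chunk, a flag byte precedes each group of eight tokens, and each copy token's 16 bits are split between match length and displacement with a split that narrows as the chunk's output grows). The input stream is constructed for the example and embedded in the block; the shikata_ga_nai stage is not decoded here.

```python
"""Pure-Python LZNT1 decompressor (MS-XCA chunk format). Added example for this page;
not Threat Group-3390, Metasploit or Microsoft code. Equivalent in result to
RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1, ...) for well-formed input."""
import struct

CHUNK_SIGNATURE = 3   # value MS-XCA requires in bits 12-14 of every chunk header

# Constructed test vectors (not captured from malware):
#   compressed chunk: literals A,B,C; copy (displacement 3, length 9); literals D,E,F
SAMPLE_STREAM = b"\x06\xb0" + b"\x08ABC\x06\x20DEF"
#   stored (uncompressed) chunk of 4 bytes, header 0x3001 = size-3 | signature<<12, flag clear
STORED_CHUNK = b"\x01\x30" + b"WXYZ"


def _decompress_chunk(data: bytes) -> bytes:
    """Expand one compressed chunk. Back-references never cross a chunk boundary."""
    out = bytearray()
    i = 0
    while i < len(data):
        flags = data[i]
        i += 1
        for bit in range(8):                       # one flag bit per token, LSB first
            if i >= len(data):
                break
            if not (flags >> bit) & 1:             # 0 = literal byte
                out.append(data[i])
                i += 1
                continue
            if i + 2 > len(data):
                raise ValueError("truncated copy token")
            token = struct.unpack_from("<H", data, i)[0]
            i += 2
            # The displacement field uses only as many high bits as are needed to reach
            # back to the start of the chunk; the rest of the token is the length.
            pos = len(out) - 1
            length_mask, disp_shift = 0xFFF, 12
            while pos >= 0x10:
                length_mask >>= 1
                disp_shift -= 1
                pos >>= 1
            length = (token & length_mask) + 3
            displacement = (token >> disp_shift) + 1
            if displacement > len(out):
                raise ValueError("back-reference points before start of chunk")
            for _ in range(length):                # byte-wise so overlapping (RLE-style) copies work
                out.append(out[-displacement])
    return bytes(out)


def lznt1_decompress(buf: bytes) -> bytes:
    """Walk the chunk headers of an LZNT1 stream and concatenate the expanded chunks."""
    out = bytearray()
    i = 0
    while i + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, i)[0]
        i += 2
        if header == 0:                             # zero header: end of stream / padding
            break
        size = (header & 0x0FFF) + 3
        if (header >> 12) & 0x7 != CHUNK_SIGNATURE:
            raise ValueError(f"bad chunk signature in header {header:#06x}")
        chunk = buf[i:i + size]
        i += size
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        if header & 0x8000:
            out += _decompress_chunk(chunk)         # compressed chunk
        else:
            out += chunk                            # stored chunk, copied verbatim
    return bytes(out)


if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE_STREAM))                  # b'ABCABCABCABCDEF'
    print(lznt1_decompress(SAMPLE_STREAM + STORED_CHUNK))   # b'ABCABCABCABCDEFWXYZ'
```

When carving from a memory dump the start of the stream is usually found by looking for a plausible header (`0xB000 | size-3` for a compressed chunk, `0x3000 | size-3` for a stored one); the signature check above rejects most false starts, and the bounds checks turn a misaligned offset into a clean exception rather than garbage output.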
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015. CISA. (2023, December 18). #Stop…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Per…
…es zmap and zgrab to search for vulnerable services in cloud environments. [75] G0027 Threat Group-3390 Threat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems. [76] [77] G0081 Tropic Trooper Tropic Trooper used pr and an openly av…